CSS. losing login/pass info due to redirection http -> https

kreshetnikov
Level 1

Hi,

I have sort of a problem with CSS 11501 (ios 8.20.1.01).

The design is:

client(http) -internet-> router -> checkpoint(nat) -> css -> back-end server. CSS, checkpoint, back-end server are in the same subnet. CSS performs SSL termination.

I want to have automatic redirection from http to https, so when the remote client connects to CSS with http he's redirected to https. The client enters login/pass info but this info is lost after redirection and it's necessary to enter login/pass again.

Note: If I connect to https directly I'm able to login without problems.

CSS config:

!************************** CIRCUIT **************************
circuit VLAN112
  ip address 10.112.0.3 255.255.0.0

circuit VLAN114
  ip address 10.114.0.3 255.255.0.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list rrssl1
  ssl-server 1
  ssl-server 1 dhparam ...
  ssl-server 1 rsacert ...
  ssl-server 1 rsakey ...
  ssl-server 1 cipher rsa-export1024-with-des-cbc-sha 10.112.0.107 80
  ssl-server 1 vip address 10.112.0.241

!************************** SERVICE **************************
service secure-transfer
  type redirect
  no prepend-http
  ip address 2.2.2.2
  keepalive type none
  domain "https://test1.abc.com"
  active

service sslservice
  type ssl-accel
  add ssl-proxy-list rrssl1
  slot 2
  keepalive type none
  active

!*************************** OWNER ***************************
owner test
  content default-redirect
    protocol tcp
    port 80
    url "/*"
    vip address 10.112.0.241
    add service secure-transfer
    active

  content ssl-rule
    protocol tcp
    port 443
    add service sslservice
    vip address 10.112.0.241
    active

Tnx a lot in advance for any comments.

2 Replies

Gilles Dufour
Cisco Employee

The CSS itself is not involved in the login process.

If you have to login in HTTP, it means the login is requested before you get to the CSS.

[the CSS would just forward a redirect and will not request any login and will not connect to the server].

So, the checkpoint firewall is probably doing the login.

You should check there for help.

Gilles.

The back-end server performed authentication after redirection http -> https, the firewall does no authentication. The problem was solved, unfortunately it was not an issue that could be resolved via the css. We had to resort to manually editing the html file.
